Hackers Wanted — The Ethical Ones

Demand for ethical hackers who hunt for security weaknesses before attackers can take advantage of them is insatiable, as companies scramble to avoid Sony-style hacks and the government attempts to fortify its networks.

The median salary for a certified ethical hacker in the U.S. is about $71,000, according to data through March from the compensation website PayScale.com, for jobs including security analyst and penetration tester, or someone who tries to crack networks to find vulnerabilities. That figure could go as high as $145,000 for information security managers, and more than double that for chief information security officers.

“Demand outweighs supply,” says Matt Comyns, who recruits for high-level cybersecurity positions at the New York-based headhunting firm Russell Reynolds Associates. “Everybody’s putting a premium on these folks because they’re not so easy to find. They need to be super technical. They need to have a certain sort of DNA to be effective ethical hackers.”

Target’s 2013 data breach offered corporations a preview of how devastating a hack can be for a business’s reputation (and bottom line). Hacks on different companies have been a constant in the news since then. And the hack on Sony Pictures Entertainment, which shut down the company’s computer network and erased data, was a wake-up call for executives.

“When you have big events like that and you start buzzing in the boardroom about ‘what is this worth to us as a company, how do we protect our enterprise?’ — that dialogue has definitely made people rethink this,” Comyns says. “Without a doubt, it’s driven compensation up and budgets up.”

At recent security industry conferences, FBI officials have implored cyber experts to join their ranks and battle computer criminals. The agency posted a notice in December for tech experts to apply for positions as cyber special agents, citing ethical hacking in a list of preferred backgrounds. J.P. Morgan Chase CEO Jamie Dimon said in an annual letter to shareholders that the bank has doubled its cybersecurity personnel in the last two years.

Even the latest installment in CBS’s popular crime series “CSI” is about cybercrime.

Charles Tendell, who has spent about 15 years doing computer forensics, started Azorian Cyber Security in 2012 as a hub for his cyber consulting business. He says he started off as a “hacker kid” but eventually realized corporations wanted paper evidence vouching for his skills, so about five years ago, he passed a “certified ethical hacker” test given by the EC-Council, an information security training center.

Tendell says company clients have become more focused on bolstering their overall security — “companies are willing to go full-out now” — whereas they previously sought to check off boxes to remain compliant with regulations. Consumers also reach out to his company for help protecting themselves, and the business has grown from a one-man show to an operation of about 10 people.

He says the best hackers can identify patterns and chaos in what nobody else can see.

“What you know now will almost certainly be obsolete in a week,” Tendell says. “You have to stay sharp in your game.”